The problem of a too "fat" security token in a Windows 2000/2003 AD infrastructure has been known for a long time. In basic terms, the security token is the access token generated for each user during the logon process. While this token is built, the SIDs of all security groups the user belongs to are added to it. But hey … there is a limit: only 1024 (cute, round number) of these SIDs fit in one token. If the number of SIDs in a token exceeds 1024, the user can't log on. That is the basic explanation. If you want deeper knowledge of this problem, go to the Microsoft Downloads page and download the new document about access token limitations. From this document you will learn how to identify such a problem, diagnose it and solve it. Together with this document you will find a patch, described in the KB 906208 article, that adds new functionality to the ntdsutil.exe tool (you know this tool, don't you): Group Membership Evaluation. The Group Membership Evaluation feature of ntdsutil lets you create a report of a user's group membership, which helps you identify the list of groups in which this particular security principal is a member.
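As an added illustration (not part of the original post, and not the ntdsutil Group Membership Evaluation report it describes), the following PowerShell script counts a user's flattened security-group membership by reading the constructed `tokenGroups` attribute from a domain controller and compares the count with the 1024-SID token limit. The distinguished name and the 900-SID warning threshold are placeholders chosen for the example.

```powershell
# Added example: estimate how close a user's access token is to the 1024-SID limit.
# It reads the constructed 'tokenGroups' attribute (flattened, nested group SIDs
# as evaluated by the DC you are bound to). The DN below is a placeholder.

function Get-TokenGroupSids {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    # tokenGroups is computed on the fly by the DC and must be requested explicitly.
    $entry.psbase.RefreshCache([string[]]@('tokenGroups'))

    foreach ($raw in $entry.psbase.Properties['tokenGroups']) {
        # Each value is a binary SID; wrap it in a SecurityIdentifier object.
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }
}

function Test-TokenSidBudget {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [int]$Limit  = 1024,   # hard limit described in the post
        [int]$WarnAt = 900     # assumed warning threshold, not from the post
    )

    $sids = @(Get-TokenGroupSids -DistinguishedName $DistinguishedName)

    # Resolve each SID to a name where possible; foreign or orphaned SIDs
    # may not translate, which is itself useful to see in the report.
    $groups = foreach ($sid in $sids) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    if     ($sids.Count -ge $Limit)  { $status = 'OVER LIMIT' }
    elseif ($sids.Count -ge $WarnAt) { $status = 'WARNING' }
    else                             { $status = 'OK' }

    [pscustomobject]@{
        User      = $DistinguishedName
        GroupSids = $sids.Count
        Limit     = $Limit
        Status    = $status
        Groups    = $groups
    }
}

# Placeholder DN; replace with the account you are troubleshooting.
$result = Test-TokenSidBudget -DistinguishedName 'CN=Jane Doe,OU=Users,DC=example,DC=com'
$result | Select-Object User, GroupSids, Limit, Status | Format-List
$result.Groups | Sort-Object Name | Format-Table -AutoSize
```

The count is a lower bound for the real token: the logon token also carries the user's own SID and well-known SIDs such as Everyone and Authenticated Users, and `tokenGroups` only includes domain local groups from the domain of the DC you bound to. Treat a result near the limit as a reason to run the ntdsutil report mentioned above rather than as a precise measurement.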
